diff --git a/.github/workflows/generate-augmented-sbom.yml b/.github/workflows/generate-augmented-sbom.yml
new file mode 100644
index 0000000000..ec4dbd482f
--- /dev/null
+++ b/.github/workflows/generate-augmented-sbom.yml
@@ -0,0 +1,100 @@
+name: Augment SBOM
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version (e.g. 1.42.2)"
+ required: true
+ type: string
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ augment-sbom:
+ runs-on: ubuntu-latest
+
+ env:
+ KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
+ KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
+ KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
+ SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
+
+ steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ with:
+ config: ${{ vars.PERMISSIONS_CONFIG }}
+
+ - name: Checkout repo
+ uses: actions/checkout@v4
+
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+
+ - name: Download Linux ARM64 binary
+ run: |
+ curl -L "https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${{ inputs.release_version }}/mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64.tar.gz" \
+ -o release.tar.gz
+
+ - name: Extract binary
+ run: |
+ tar -xzf release.tar.gz
+
+ - name: Generate PURLs from binary
+ run: |
+ go version -m ./mongodb-atlas-cli_${{ inputs.release_version }}_linux_arm64/bin/atlas | \
+ awk '$1 == "dep" || $1 == "=>" { print "pkg:golang/" $2 "@" $3 }' | \
+ LC_ALL=C sort > purls.txt
+ cat purls.txt
+
+ - name: Generate SBOM with Silkbomb
+ run: |
+ docker run \
+ --pull=always \
+ --platform="linux/amd64" \
+ --rm \
+ -v "${PWD}:/pwd" \
+ "${SILKBOMB_IMG}" \
+ update \
+ --purls "/pwd/purls.txt" \
+ --sbom-out "/pwd/sbom_lite.json"
+ cat "sbom_lite.json"
+
+ - name: Get current date
+ id: date
+ run: |
+ echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_ENV"
+
+ - name: Augment SBOM with Kondukto
+ run: |
+ docker run \
+ --pull=always \
+ --platform="linux/amd64" \
+ --rm \
+ -v "${PWD}:/pwd" \
+ -e "KONDUKTO_TOKEN=${KONDUKTO_TOKEN}" \
+ "${SILKBOMB_IMG}" \
+ augment \
+ --sbom-in "/pwd/sbom_lite.json" \
+ --repo "${KONDUKTO_REPO}" \
+ --branch "${KONDUKTO_BRANCH_PREFIX}-linux-arm64" \
+ --sbom-out "/pwd/linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json"
+
+ - name: Generate SSDLC report
+ env:
+ AUTHOR: ${{ github.actor }}
+ VERSION: ${{ inputs.release_version }}
+ AUGMENTED_REPORT: "true"
+ run: ./build/package/gen-ssdlc-report.sh
+
+ - name: Upload augmented SBOM as artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: augmented_sbom_and_ssdlc_report
+ path: |
+ linux-amd64-augmented-sbom-v${{ inputs.release_version }}-${{ env.date }}.json
+ ssdlc-compliance-${{ inputs.release_version }}-${{ env.date }}.md
+ if-no-files-found: error
diff --git a/.github/workflows/update-ssdlc-report.yaml b/.github/workflows/update-ssdlc-report.yaml
index 00a55c5114..ca4a115c8c 100644
--- a/.github/workflows/update-ssdlc-report.yaml
+++ b/.github/workflows/update-ssdlc-report.yaml
@@ -38,6 +38,7 @@ jobs:
 env:
 AUTHOR: ${{ steps.extract.outputs.author }}
 VERSION: ${{ steps.extract.outputs.version }}
+ AUGMENTED_REPORT: "false"
 run: ./build/package/gen-ssdlc-report.sh
 - name: set Apix Bot token
 id: app-token
diff --git a/build/package/gen-ssdlc-report.sh b/build/package/gen-ssdlc-report.sh
index 23bfa599be..f9afa92915 100755
--- a/build/package/gen-ssdlc-report.sh
+++ b/build/package/gen-ssdlc-report.sh
@@ -28,19 +28,33 @@ if [ -z "${VERSION:-}" ]; then
 VERSION=$(git tag --list 'atlascli/v*' --sort=-taggerdate | head -1 | cut -d 'v' -f 2)
 fi
 
+if [ "${AUGMENTED_REPORT}" = "true" ]; then
+ target_dir="."
+ file_name="ssdlc-compliance-${VERSION}-${DATE}.md"
+ SBOM_TEXT=" - See Augmented SBOM manifests (CycloneDX in JSON format):
+ - This file has been provided along with this report under the name 'linux_amd64_augmented_sbom_v${VERSION}.json'
+ - Please note that this file was generated on ${DATE} and may not reflect the latest security information of all third party dependencies."
+
+else # If not augmented, generate the standard report
+ target_dir="compliance/v${VERSION}"
+ file_name="ssdlc-compliance-${VERSION}.md"
+ SBOM_TEXT=" - See SBOM Lite manifests (CycloneDX in JSON format):
+ - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json"
+ # Ensure AtlasCLI version directory exists
+ mkdir -p "${target_dir}"
+fi
+
 export AUTHOR
 export VERSION
+export SBOM_TEXT
 
 echo "Generating SSDLC checklist for AtlasCLI version ${VERSION}, author ${AUTHOR} and release date ${DATE}..."
 
-# Ensure AtlasCLI version directory exists
-mkdir -p "compliance/v${VERSION}"
-
 envsubst < docs/releases/ssdlc-compliance.template.md \
- > "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+ > "${target_dir}/${file_name}"
 
-echo "SDLC checklist ready. Files in compliance/v${VERSION}/:"
-ls -l "compliance/v${VERSION}/"
+echo "SDLC checklist ready. Files in ${target_dir}/:"
+ls -l "${target_dir}/"
 
 echo "Printing the generated report:"
-cat "compliance/v${VERSION}/ssdlc-compliance-${VERSION}.md"
+cat "${target_dir}/${file_name}"
diff --git a/docs/releases/ssdlc-compliance.template.md b/docs/releases/ssdlc-compliance.template.md
index 28db093359..acea733014 100644
--- a/docs/releases/ssdlc-compliance.template.md
+++ b/docs/releases/ssdlc-compliance.template.md
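Review bot: `[ "${AUGMENTED_REPORT}" = "true" ]` on the first added line reads the variable with no default, while the `${VERSION:-}` guard on the hunk's context line suggests the script runs with `set -u` (its header is above the hunk); any caller that does not export AUGMENTED_REPORT would then abort instead of falling through to the standard report. `if [ "${AUGMENTED_REPORT:-false}" = "true" ]; then` keeps the new mode opt-in and matches the `"false"` the other workflow now passes. `${DATE}` is set above the hunk as well, and the augmented file name `ssdlc-compliance-${VERSION}-${DATE}.md` is only found by the calling workflow's upload step (which fails on a missing file) if that format is the `%Y-%m-%d` the workflow computes for its own `date` variable; a comment at the `file_name=` line stating that the two formats must stay in sync, e.g. `# must match the date format used by generate-augmented-sbom.yml`, would protect the next edit.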
@@ -16,8 +16,7 @@ Overview: - [Kondukto](https://arcticglow.kondukto.io/) - **Dependency Information** - - See SBOM Lite manifests (CycloneDX in JSON format): - - https://github.com/mongodb/mongodb-atlas-cli/releases/download/atlascli%2Fv${VERSION}/sbom.json +${SBOM_TEXT} - **Security Testing Report** - Available as needed from Cloud Security. @@ -27,4 +26,4 @@ Overview: Assumptions and attestations: -- Internal processes are used to ensure CVEs are identified and mitigated within SLAs. \ No newline at end of file +- Internal processes are used to ensure CVEs are identified and mitigated within SLAs.